
Require Physical 2fa for Build WG & Web Infra members #4063


Open
flakey5 opened this issue Apr 7, 2025 · 7 comments

Comments

@flakey5
Member

flakey5 commented Apr 7, 2025

Members of the Build WG & @nodejs/web-infra have access to sensitive resources. Despite this, however, there aren't any actual requirements for 2fa to be enabled on a member's accounts, afaik.

I think there should be a requirement for members to have some form of physical 2fa (i.e. yubikey) connected to their GitHub and other relevant accounts.

@nodejs/web-infra is relevant here since, even though members aren't under the Build WG governance, they still follow the Build WG contributor guidelines as per the website's governance doc.

I don't have an answer as to who's going to be paying for the keys, however.

@jasnell
Member

jasnell commented Apr 7, 2025

Everyone in the Node.js GitHub org is, as far as I can remember, required to have general 2fa enabled on their accounts. Physical keys would be a good additional layer for folks on the build/infra/release teams. The foundation can likely be asked to pay for the keys. /cc @mcollina

@MattIPv4
Member

MattIPv4 commented Apr 7, 2025

+1 to requiring physical hardware for authentication -- I have YubiKeys on my GH account. I wish GH had a way at the org level to require that 2FA on accounts is a physical factor, and can't be bypassed with another factor like GH mobile (it always gives me this option for sudo mode which scares me).

@ovflowd
Member

ovflowd commented Apr 7, 2025

+1 for Web Infra. We should also require 2fa (Physical) on 1Password which has access to Vercel and Sentry and our GitHub bot accounts.

@mcollina
Member

mcollina commented Apr 7, 2025

> Despite this however, there aren't any actual requirements for 2fa to be enabled on a member's accounts afaik.

I think this should be a requirement.

I don't think there is money available to massively buy YubiKeys for everyone, but it really depends on the volume.

@jasnell
Member

jasnell commented Apr 7, 2025

> ... massively buy YubiKeys for everyone...

We don't need them for everyone... just for the build, build-infra, web-infra, and release teams I would imagine. That would be about 25 keys, which should come to just under about $2k.

@richardlau
Member

While requiring a physical key would increase security, I also think it would discourage volunteering. I have a physical Yubikey that I'm not using because it looks like it's not so straightforward to get it working under WSL.

@ovflowd
Member

ovflowd commented Apr 24, 2025

I think we should have a flexible requirement: either a Passkey or a YubiKey. Passkeys are already more secure and are usually tied to devices (iOS phones, Windows computers, and Android phones can serve as a Passkey).
